From 60f1454f9af0c0d83ade2195af8723b5bb54805a Mon Sep 17 00:00:00 2001 From: Robert Hensing Date: Thu, 28 Nov 2019 09:41:05 +0100 Subject: [PATCH] README.md: Add Security section --- README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/README.md b/README.md index 30323bf..4ab8c93 100644 --- a/README.md +++ b/README.md @@ -79,6 +79,13 @@ mkDerivation { Please open a PR if you've found another feature, determined any of the '?' or found an inaccuracy! +# Security + +Files not matched by gitignore rules will end up in the Nix store, which is readable by any process. + +gitignore.nix does not yet understand `git-crypt`'s metadata, so don't call `gitignoreSource` on directories containing such secrets or their parent directories. +This applies to any Nix function that uses the `builtins.path` or `builtins.filterSource` functions. + # Contributing This project isn't perfect (yet) so please submit test cases and fixes as pull requests. Before doing anything drastic, it's a good idea to open an issue first to discuss and optimize the approach.
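Review bot: the wording of the added Security section understates the exposure and misstates the rule: "readable by any process" should say the Nix store is world-readable, i.e. readable by every user on the machine (and whatever lands there may also be pushed to a binary cache), and "Files not matched by gitignore rules" should read "Files not excluded by gitignore rules", since a file matched by a negated (`!`) pattern is un-ignored and is copied as well. The `git-crypt` paragraph would also be clearer if it said why a gitignore-based filter cannot help: git-crypt'ed files are tracked, so no ignore rule excludes them, and when the repository is unlocked it is their plaintext that sits in the working tree and gets copied. The closing sentence reads as if the hazard were specific to those two builtins; suggest something like "The same applies to any use of `builtins.path`, `builtins.filterSource`, or a bare path such as `./.`, since all of them copy the unexcluded files into the store."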